gabriel / musehub public
BREAKING fix/auth-security-sweep-2 #1 / 1
gabriel · 73 days ago · Apr 10, 2026 · Diff

security: enforce write-access checks on proposals/releases/webhooks MCP and REST

- execute_merge_proposal: add actor param + _require_write_access guard (owner or write/admin collaborator)
- execute_submit_proposal_review: early 403 if reviewer is empty string
- execute_create_release: add _require_write_access guard after repo fetch
- releases.py REST: add _guard_repo_owner helper; apply to create_release, attach_release_asset, delete_release_asset
- webhooks.py REST: add _guard_repo_owner helper; apply to create_webhook, delete_webhook
- dispatcher.py: pass actor= to execute_merge_proposal dispatch
- test_mcp_write_tools.py: add TestProposalMergeAccessGuard (forbidden for non-owner + unauthenticated)
- test_releases.py: add 3 REST 403 tests (non-owner create/attach-asset/delete-asset)
- test_musehub_webhooks.py: add 2 REST 403 tests (non-owner create/delete webhook)

sha256:f8e28b9c5c96be5a63290254406fa457e3b55662f1118e0feec1905a0cbcfdc9 sha
sha256:7fd16cbef07c20140182dd0cced8a0fe52679a5271b641eee2668f07f80bda95 snapshot